CheckPointSW / terraform-provider-checkpoint

Terraform provider for Check Point
https://www.terraform.io/docs/providers/checkpoint/
Mozilla Public License 2.0

Updating terraform checkpoint provider from 1.4 to 1.6 causing weird apply plans #93

Open LockeColtenPFG opened 3 years ago

LockeColtenPFG commented 3 years ago


After bumping from 1.4 to 1.6, the terraform plan that was generated appears to want to modify our existing Access Role objects to some weird syntax.

For example

users { ~ selection = [

The next apply after the update caused this to appear in the plan. It switched our selections syntax, prepended adgroup to the name, and removed the hyphens from the existing selection.

This happened to every AR object we had defined (30ish)


Another oddity we noticed was that the source we defined in an AR randomly thought it was cpmiADgroup and wanted to modify itself back to the original value that had never changed.

Is this expected behavior in 1.6?

chkp-alonshev commented 3 years ago

Hi @LockeColtenPFG, thank you for submitting this issue. There was a problem with the read function and we fixed it. Both issues you have mentioned still have API-related problems.

  1. Selection name: the MGMT server adds an 'adgroup' prefix to each name and the provider uses these names as is. We will try to find a solution for it in the next version.

  2. Source name: the access-role API show function does not return the source per object, so we cannot currently support many AD groups. For now the provider only supports a single AD group with the name CpmiAdGroup, and the problem should not appear anymore. We will allow the use of a different name in the next provider version, but note that we need the API to be changed to allow more than one AD group.

Thank you, Alon

deutmeyerbrianpfg commented 2 years ago

By saying you "fixed" it, will the new provider version act like how it did in 1.4.0 and not report all these changes? If yes, can you issue a fix release (like 1.6.1) for this so we don't have to downgrade our provider?

chkp-alonshev commented 2 years ago

Hi @deutmeyerbrianpfg, publishing a new version takes time (even if it is a sub-version); we will try to fix and release the version as soon as possible. About your question: we are still working on a fix, and I will be able to answer properly after we fix this issue.

b-diggity commented 2 years ago

Any update on a fix for this?

chkp-alonshev commented 2 years ago

Hi @b-diggity, we are working on this fix; there is no ETA, but it will be published in Q1.

deutmeyerbrianpfg commented 2 years ago

I see PR #95 was created, but a fix for this doesn't appear to be included? Q1 is winding down...is this still going to be fixed this quarter?

chkp-alonshev commented 2 years ago

Hi @deutmeyerbrianpfg, unfortunately this issue will not be fixed soon due to API limitations. I am sorry for saying it would be published in Q1. We need to wait for the API to be fixed in order for us to fix this issue properly. As I said before, "For now the provider only supports a single AD group with the name CpmiAdGroup, and the problem should not appear anymore." I hope you find it useful. We will publish a solution when the API command allows us to.

I will comment here on any progress, and we will fix this issue when possible. Sorry for the inconvenience. Alon.

deutmeyerbrianpfg commented 2 years ago

Can you post a code example for what you are referring to with CpmiAdGroup?

chkp-alonshev commented 2 years ago

resource "checkpoint_management_access_role" "example" {
  name = "New Access Role 1"
  machines {
    source    = "any"
    selection = ["any"]
  }
  users {
    source    = "CpmiAdGroup"
    selection = ["AD1", "AD2"]
  }
}

Note that this solution will still show the change LockeColtenPFG mentioned in the selection: "For example

users { ~ selection = [

deutmeyerbrianpfg commented 2 years ago

So this code results in changes:

resource "checkpoint_management_access_role" "example" {
  name = "example_ar"
  users {
    source    = "myad.com__AD"
    selection = ["MY GROUP NAME"]
  }
}

Are you saying that I can change my source to CpmiAdGroup and the validation errors will go away as long as only one group is used in the selection? Like this?:

resource "checkpoint_management_access_role" "example" {
  name = "example_ar"
  users {
    source    = "CpmiAdGroup"
    selection = ["MY GROUP NAME"]
  }
}

chkp-alonshev commented 2 years ago

Hi @deutmeyerbrianpfg, sorry for the late response. Because of the API issue you will still get a validation error on the selection field, as mentioned by LockeColtenPFG. It will only disable the validation error on the source field. I will let you know as soon as we find a solution to this issue.

watnenatePFG commented 1 year ago

Hi @chkp-alonshev is there still no fix for this? It is causing our pipeline to run very slow due to all the updates it thinks it needs to make each time. Do we need to submit an API enhancement request with our account team? Thanks for keeping after this one.

chkp-royl commented 1 year ago

Hi, this is an API issue and not relevant to the provider. It was fixed in version R82 and probably will be in the JHFs as well.

Regards, Roy

watnenatePFG commented 1 year ago

Thanks for the reply, Roy!

Are you able to elaborate a little more on what is missing in the API that creates this problem? I'd like to get a formal enhancement request into our account team. This is causing an extreme slowdown on our side, and I'd like to make sure that it is truly incorporated into R82.

It's been almost two years now so I could be mistaken, but I don't recall this being a problem when we first started using this provider. According to the first post of this thread, it looks like something changed between 1.4 and 1.6. Do you recall why the API limitation wasn't a problem until then?

chkp-royl commented 1 year ago

The API is missing data for Terraform, so the access-role resource cannot work properly. According to the change log, the access role resource was changed in v1.5; the resource did not work well before that because of incorrect logic in some fields. In v1.5 we fixed some bugs in the resource given the missing data we receive from the API, but from R82 this issue was resolved.